Google's Audio CAPTCHA Falls To Automated Attack

kdawson posted more than 6 years ago | from the what-you-say dept.

SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."

145 comments

Adapt the visual approach (1)

MagdJTK (1275470) | more than 6 years ago | (#23274974)

How long before they start saying the word over a background of static, jungle noises and beeping so that even the best trained of ears require three or four listens to decipher it?

Re:Adapt the visual approach (3, Interesting)

carlvlad (942493) | more than 6 years ago | (#23275132)

I hardly ever failed CAPTCHAs before, but ever since RapidShare implemented their new CAPTCHAs, it has made me realize how many more people suffer through the annoyance of this. Kinda ironic though, it was supposed to weed out non-humans. Reminds me of the Dilbert strip where PHB is considered the first human to fail the Turing Test.

Re:Adapt the approach (2, Interesting)

asCii88 (1017788) | more than 6 years ago | (#23275484)

I think they should make captchas that require some kind of rational thinking. For example they could say "Write the third word of this sentence." And of course the answer should be "third". That's a lot more difficult to crack, and if you look at the infinite variations you can make to it, you can say it's uncrackable until they can make a bot that understands natural speech.

Re:Adapt the approach (0)

iago-vL (760581) | more than 6 years ago | (#23275746)

The problem with that is reverse engineering the software. It could work in one case, but if you release the source you'd have problems.

Re:Adapt the approach (1)

nozzo (851371) | more than 6 years ago | (#23275916)

why did someone mod the parent -1?

Re:Adapt the approach (1)

hostyle (773991) | more than 6 years ago | (#23276048)

huhuh beavis, he said "rational" ... huhuh

Re:Adapt the approach (1)

Hmmm2000 (1146723) | more than 6 years ago | (#23276950)

I don't think it was a mod down .. he has a history of troll comments and his karma has suffered as a result.

Re:Adapt the visual approach (1)

vbraga (228124) | more than 6 years ago | (#23276506)

RapidShare paying users don't see the captcha. It's there just to annoy non paying users and get them to pay.

Re:Adapt the visual approach (1)

fbjon (692006) | more than 6 years ago | (#23275960)

If you listen to Google's captcha, you'll see that it is filled with nonsense voices as well as the real voice. You can still make out the real voice, but it's not entirely trivial. A great improvement, like TFA suggests, would be to use complete words rather than numbers, which turns it into a full voice-recognition problem for an attacker. Also, some manner of distortion in both time and frequency domain should thwart this attack. The only problem is that distorting in the frequency domain isn't all that easy, if you want the voice to be understandable.

Re:Adapt the visual approach (1)

jchernia (590097) | more than 6 years ago | (#23276556)

It's getting to the point where the spammers are solving real, previously unsolved problems with their spamming code. Perhaps this can be harnessed for the good "solve the following protein folding problem", "write a transcript for the following bit of audio" then we'll let you send 100 spam emails.

Re:Adapt the visual approach (1)

severoon (536737) | more than 6 years ago | (#23278000)

They don't have to do audio captchas where you type in directly what is said. They could require simple calculations or something like that to make it very hard for a computer to crack without sophisticated natural language processing.

Enter the first letter of each word: Light Apples Meddle Blindly. (User enters: LAMB) Enter every other word: big white ben light. (User enters: "big ben" or "white light"). What is 14 plus 9? (User enters: 25)

Add static and nonsense voices and these are all difficult things for the computer to figure out. From an audio stream, it would have to understand an instruction given in natural language and then carry it out. The universe of simple problems that could be presented to users is virtually unlimited.

More easier to detect a bot (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23274984)

It's easier to detect a bot using audio captcha because a high number of simultaneous impaired users from a single IP is much less likely to happen than with a regular captcha.

Re:More easier to detect a bot (2, Insightful)

liquidpele (663430) | more than 6 years ago | (#23276092)

As if 400 tries in an hour with a 50% failure rate from one IP wouldn't throw flags with any type of captcha.... I really can't understand how these services can *not* see bots doing this, unless the bots are doing it at slow random intervals...

Re:More easier to detect a bot (2, Insightful)

Gavagai80 (1275204) | more than 6 years ago | (#23276292)

In the case of a high profile target like gmail, they're doing it from thousands of IPs in a botnet.

Re:More easier to detect a bot (4, Funny)

Keichann (888574) | more than 6 years ago | (#23276296)

If only somebody could distribute their bots into a kind of network? Then you'd get traffic arriving from all over the place, that would be significantly more difficult to detect!

Quick, mod this post down, in case a ne'er-do-well were to get any ideas.
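The per-IP flagging liquidpele describes, and the botnet objection raised in the replies, as an added example (not code from the thread or from any CAPTCHA provider). The thresholds, the assumed 15% human failure baseline and the sample traffic are constructed assumptions; the 400 tries per hour at a 50% failure rate come from the comment above.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Attempt(NamedTuple):
    ts: float     # seconds since start of capture
    ip: str
    solved: bool


def per_ip_flags(attempts, window=3600, min_attempts=50, max_fail_rate=0.4):
    """Sliding-window check: flag IPs with many attempts AND a high failure rate.

    Returns {ip: (peak attempts in one window, failure rate at that peak)}.
    """
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    fails = defaultdict(int)      # ip -> failures among those attempts
    flagged = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent[a.ip]
        while q and a.ts - q[0].ts >= window:      # evict attempts older than the window
            fails[a.ip] -= not q.popleft().solved
        q.append(a)
        fails[a.ip] += not a.solved
        rate = fails[a.ip] / len(q)
        if len(q) >= min_attempts and rate >= max_fail_rate:
            if len(q) > flagged.get(a.ip, (0, 0.0))[0]:
                flagged[a.ip] = (len(q), rate)
    return flagged


def sitewide_alerts(attempts, exclude=(), window=3600,
                    baseline_fail_rate=0.15, factor=2.0, min_attempts=200):
    """Botnet-oriented check: per-hour failure rate across ALL remaining IPs.

    A solver spread over thousands of addresses never trips the per-IP rule,
    but it still drags the site-wide failure rate above the human baseline.
    Returns the start times of the buckets that exceed factor * baseline.
    """
    totals = defaultdict(lambda: [0, 0])           # bucket -> [attempts, failures]
    for a in attempts:
        if a.ip in exclude:
            continue
        bucket = int(a.ts // window) * window
        totals[bucket][0] += 1
        totals[bucket][1] += not a.solved
    return sorted(b for b, (n, f) in totals.items()
                  if n >= min_attempts and f / n > factor * baseline_fail_rate)


def build_sample():
    """Constructed traffic: three hours of humans, one single-IP bot, one botnet."""
    out = []
    for hour in range(3):                          # humans: 1 attempt each, 1 in 8 fails
        for i in range(300):
            out.append(Attempt(hour * 3600 + i * 12,
                               f"10.{hour}.{i // 250}.{i % 250}", i % 8 != 0))
    for j in range(400):                           # hour 0: 400 tries, 50% fail, one IP
        out.append(Attempt(j * 9, "198.51.100.7", j % 2 == 1))
    for k in range(1000):                          # hour 1: same solver, 1000 distinct IPs
        out.append(Attempt(3600 + k * 3.6,
                           f"172.16.{k // 250}.{k % 250}", k % 2 == 1))
    return out


SAMPLE = build_sample()

if __name__ == "__main__":
    flags = per_ip_flags(SAMPLE)
    print("per-IP flags:", flags)
    print("site-wide alert buckets:", sitewide_alerts(SAMPLE, exclude=flags))
```

The site-wide check only says that something is solving badly during that hour; it does not identify which addresses belong to the botnet.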

fr1st psot?? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23274994)

slashdot is dying, etc

probably borrowing from IVR technology (2, Interesting)

revlayle (964221) | more than 6 years ago | (#23275046)

some of the advanced IVR solutions (Interactive Voice Response... for like customer support or paying bills on the phone) can pick out numbers and words pretty well even under some noise conditions. so I am not totally surprised that this cracked the audio CAPTCHA.

Re:probably borrowing from IVR technology (1)

Dancindan84 (1056246) | more than 6 years ago | (#23275236)

I'd think it's easier to differentiate between known responses than pick out an arbitrary word though. What I mean is, in those IVR situations the software is usually just trying to differentiate between yes/no, accounts/support etc. The most advanced I've seen it is one where you could speak your credit card number, which is still just differentiating between a larger set (0-9).
That was -going- to be my response as I assumed the audio CAPTCHA just played a recording of the word displayed in the normal CAPTCHA, but I just went and tried out Google's and it does exactly what my credit card example describes except even shorter (6 digit number with background noise). So yeah... not that surprising.

Re:probably borrowing from IVR technology (1)

revlayle (964221) | more than 6 years ago | (#23275330)

If it was an arbitrary word, I could see additional difficulties then, of course... you would have to have speech-to-text technology that can distinguish words out of noise.

Re:probably borrowing from IVR technology (1)

Mathinker (909784) | more than 6 years ago | (#23275706)

But then the human would also need to be able to spell.

Re:probably borrowing from IVR technology (1)

English French Man (1220122) | more than 6 years ago | (#23276654)

True. Has anyone tried the voice recognition integrated into Windows Vista? I tried it, and was really impressed. Speech to text has existed for almost ten years now, so I'm not impressed with this news whatsoever...

Advantage for the Chinese (1)

Mathinker (909784) | more than 6 years ago | (#23277458)

I wonder how far advanced voice recognition for Mandarin Chinese is. My guess is that it is far behind what is available for English. This would mean that Chinese web sites are at an advantage with respect to word-based audio CAPTCHAs.

Re:probably borrowing from IVR technology (2, Insightful)

Qzukk (229616) | more than 6 years ago | (#23275342)

IVR works as well as it does because it only has to understand numbers when it's expecting numbers and words when it's expecting words (and then only the words it expects to hear, try yelling "banana" at one). Also try calling your credit card company and telling it your card number is four quadrillion three hundred fifty-two trillion one hundred twelve billion five hundred forty-two million six hundred ninety-five thousand and one.

If your audio captcha reads each letter one at a time, then your "IVR" only has to be able to distinguish 26 sounds (36 if you have digits too).

Re:probably borrowing from IVR technology (5, Funny)

natebarney (987940) | more than 6 years ago | (#23275686)

"four quadrillion three hundred fifty-two trillion one hundred twelve billion five hundred forty-two million six hundred ninety-five thousand and one"
And what's the three digit security code?

It was bound to happen (2, Interesting)

Half-pint HAL (718102) | more than 6 years ago | (#23275092)

Right from the start it was clear that audio captchas were theoretically easier to break than visual ones.

An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary. You hear it then it's gone: you can't analyse it. This makes it infinitely less complicated than a video one.

It's only because of low uptake that it's taken so long for a true proof-of-concept attack.

HAL.

Re:It was bound to happen (1)

VeNoM0619 (1058216) | more than 6 years ago | (#23275604)

I thought the same, but now that it's been publicized, it's only a matter of time before you get audio captchas that you can't even decipher.

Re:It was bound to happen (1)

Ucklak (755284) | more than 6 years ago | (#23276150)

You could mix an audio question with an image.

You could display an image and ask a question about the image;

"What color is the shirt on the man?"
"How many doughnuts are displayed?"
"How many animals are not cats?"

Same image could be used for a series of questions.

Failures are logged against IP address, unusually high numbers are banned.

Of course, on first look, that keeps a random element out of it so you could have separate elements and combine them for a captcha image;

-different colored background
-guy on a bike
-3 cats and 1 dog
-6 doughnuts

A pool of elements are combined to create an image and a random question from an element is picked.

Re:It was bound to happen (1)

Dorceon (928997) | more than 6 years ago | (#23276290)

Yes, an audio question about an image is a great way to adapt CAPTCHAs to the vision impaired. An audio question about the audio, on the other hand.

Re:It was bound to happen (0)

Anonymous Coward | more than 6 years ago | (#23276550)

This would defeat the purpose of audio CAPTCHAS. They are actually designed for the visually impaired. If you could just ask them to see the screen, they would be able to use the visual CAPTCHAS instead.

I wonder, however, how much the system would improve if they used singing voices. Those could probably be harder to parse. In them, the voice could ask some questions like math operations, etc. That could probably make it harder to guess by a computer.

Re:It was bound to happen (1)

rcamera (517595) | more than 6 years ago | (#23276734)

there's a very serious problem with this approach: it is trivial to brute force. if the question states "how many", then that implies a quick human countable number. guess a number from 1 to 10. is that the correct answer? try a different number 1 to 10. is that it? for your "what color" question, i can think of ~10 legit colors (is it mother-of-pearl or white, navy blue or blue?). once again a brute force approach works pretty well.

if reading words/characters/numbers from an image is solvable by a captcha-cracking program, don't you think it would be pretty trivial to write a brute-force algo?

Re:It was bound to happen (1)

Blakey Rat (99501) | more than 6 years ago | (#23277196)

The entire point of audio CAPTCHAs is that they can be used by the visually impaired using screen-reader browsers.

Your proposal completely defeats that.

Also, ideally, your system wouldn't require any cultural knowledge beyond knowledge of the language. For instance, someone born and raised in Zambia could potentially have never heard of a "doughnut," even if they know English.

Re:It was bound to happen (2, Interesting)

firewrought (36952) | more than 6 years ago | (#23276612)

"An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary."
I think your explanation is missing something, but I can't quite put my finger on what it is. Maybe it would be more accurate to say that audio captchas are simpler to process because (1) researchers can't pump as much information thru the ears as they can thru the eyes [sensory bandwidth is different] and (2) there's not a whole lot we can do to obfuscate a sound stream [as opposed to an image which can have lots of unused parts where we can throw whatever noise we want to].

Note that you could make audio captcha require thought. Someone else mentioned asking questions that require specific answers, but that might be difficult to automate: you would need a corpus with thousands of questions that require one-word answers. Perhaps the best way to do that would be to get your hands on a database of crossword puzzles and randomly generate questions like "3 letter word for pet, beginning with 'C'". Exclude words that don't appear in a modestly-sized dictionary, exclude certain obscure words that appear in crosswords way more than normal English (like "adit"--a mine entrance), and make it easy for people to get a new clue if they're having trouble guessing the current one.

Spread the love (4, Funny)

snarfies (115214) | more than 6 years ago | (#23275140)

"News about the discovery is slowly starting to spread."

And, thanks to Slashdot, news about the discovery is now RAPIDLY spreading.

captchas are obsolete (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23275146)

do something else. show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever.

and for the sight-impaired, how about a read description or definition of something? "this thing is the entrance to a house or a room" => door

come on, webdesigner, it's not that hard to abandon those old and, above all, ANNOYING captchas

Re:captchas are obsolete (0)

Anonymous Coward | more than 6 years ago | (#23275370)

"do something else. show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever."

This is just a variation of the regular captcha using pictures instead of letters. It has the same vulnerabilities. If used undistorted it is merely a matter of building a dictionary of pictures, if distorted it has the same strengths and weaknesses of the same distortion applied to letters.

"and for the sight-impaired, how about a read description or definition of something? 'this thing is the entrance to a house or a room' => door"

This one is actually rather good because it requires some fantasy and imagination, something computers are really bad at. It reminds me of the movie Blade Runner where humans are distinguished by their ability to understand feelings. Perhaps a good captcha would be "You're in the desert and see a turtle on its back unable to get up, do you help it?". As a bonus this might keep some of the less human humans away from your webpage : )

Re:captchas are obsolete (1)

Talderas (1212466) | more than 6 years ago | (#23275688)

"It reminds me of the movie blade runner where humans are distinguished by their ability to understand feelings. Perhaps a good captcha would be 'You're in the desert and see a turtle on its back unable to get up, do you help it?'. As a bonus this might keep some of the less human humans away from your webpage : )"
What desert?
Why am I there?
Do you come up with these questions, or do they write them down for you?
What do you mean I'm not helping?

Re:captchas are obsolete (1)

joelpt (21056) | more than 6 years ago | (#23276190)

"This is just a variation of the regular captcha using pictures instead of letters. It has the same vulnerabilities. If used undistorted it is merely a matter of building a dictionary of pictures, if distorted it has the same strengths and weaknesses of the same distortion applied to letters"
How about "describe this scene"?

Visual scenes involving objects could be dynamically 3d-rendered to defeat "image dictionary" attack strategies.

For example, "the [cat] is [under] the [car]". The three bracketed terms could be replaced with a large set of nouns or verbs/prepositions.

This scene description could then be rendered from a number of different camera positions/angles; colors changed; and background or extraneous/obscuring foreground objects added.

Until computer intelligence reaches the level of human intelligence for interpreting visual information, there are still CAPTCHA methods available that can't be reliably broken using automated (non human) methods.

Re:captchas are obsolete (1)

blhack (921171) | more than 6 years ago | (#23276206)

or "When littlefoot's mother died in the original land before time, did you feel sad?"

bots, no lying!

i'll even provide a link ;-) xkcd, obviously [xkcd.com]

Re:captchas are obsolete (1)

junglee_iitk (651040) | more than 6 years ago | (#23276716)

One day all your web-site hosting captcha creating jobs are going to be outsourced to India and then you all are going to complain about accents :P

Re:captchas are obsolete (1)

nebulus4 (799015) | more than 6 years ago | (#23275402)

"do something else. show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever.

and for the sight-impaired, how about a read description or definition of something? 'this thing is the entrance to a house or a room' => door"
Unfortunately, this doesn't work because you'll only have a limited set of objects, so it shall be relatively easy to collect all of the items.

Re:captchas are obsolete (1)

eht (8912) | more than 6 years ago | (#23276072)

Handful? try two million and growing

http://www.quickonlinetips.com/archives/2007/03/microsoft-asirra-captcha-with-pets/ [quickonlinetips.com]

this was on slashdot a while back but i'm too lazy to find the post

Re:captchas are obsolete (1)

nebulus4 (799015) | more than 6 years ago | (#23276996)

Quote from Asirra's FAQ:

Is it accessible? Asirra is not meant to be an alternative to all HIPs, only visual HIPs. Accessible websites, such as Microsoft's Hotmail signup page, typically have both a visual and audio HIP. Asirra is only meant as an alternative to the warped letters, but is orthogonal to accessible alternatives such as Hotmail's audio version of dictated digits.
Do I need to say anything else?!

Re:captchas are obsolete (0)

Anonymous Coward | more than 6 years ago | (#23275474)

"show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever."

Um, that's not "something else". That's a CAPTCHA.

"and for the sight-impaired, how about a read description or definition of something? 'this thing is the entrance to a house or a room' => door"

That's a CAPTCHA too. And it isn't feasible. You need to be able to easily generate hundreds of thousands of non-guessable permutations and their correct answers. How do you propose they do that?

Re:captchas are obsolete (0)

Anonymous Coward | more than 6 years ago | (#23276066)

well, as far as i can tell, there are only about a few dozen different captchas on /. at the moment, so getting about 100 definitions should be ok. make it fill-in answers and not multiple choice and you should be covered.

Re:captchas are obsolete (0)

Anonymous Coward | more than 6 years ago | (#23276214)

"there are only about a few dozen different captchas on /. at the moment"

Slashdot aren't Google, and you can't spam people with Slashdot. Slashdot are an infinitesimally tiny target compared with Google.

Re:captchas are obsolete (3, Interesting)

mapkinase (958129) | more than 6 years ago | (#23276084)

Multiple choice is just silly. If there are 5 choices, in about ~5 tries the robot will pass the protected entrance.

Re:captchas are obsolete (1)

veganboyjosh (896761) | more than 6 years ago | (#23277058)

Couldn't there be 20 choices, but only 3 shown? The bot would read the code and see 20 choices, but the human would only see 3 or 5 or whatever.

Re:captchas are obsolete (1)

stars_are_number_1 (788251) | more than 6 years ago | (#23277624)

Or how's about, if it takes the user five tries to get past the question, the account gets locked out. I'm sorry but if you're that stupid, I don't feel sorry for you not being able to use the internet.

Re:captchas are obsolete (1)

MBGMorden (803437) | more than 6 years ago | (#23278250)

Wait, do you really mean account, or IP?

If IP, then no luck. Bots jump IPs like crazy.

If account (as in a login), then every person who gets their name used by a bot gets bitten. Given the amount of email backscatter I've been getting lately from spammers using my email as a return address, that's certainly not something I look forward to.

Re:captchas are obsolete (1)

Wavebreak (1256876) | more than 6 years ago | (#23278286)

Er, you have to have code for what to show to the user at some point, and as such it's pretty much trivial for a bot to get the same information.

Multiple choice tests? (1)

pathological liar (659969) | more than 6 years ago | (#23276218)

The answer is given to you in the question in a multiple choice test. One of the choices has to be the correct one, which means you can trivially bruteforce it.

Re:captchas are obsolete (0)

Anonymous Coward | more than 6 years ago | (#23276690)

someone reply to him with a "cat" and "puppy" and "re-captcha" type of captcha link.... *yawn*

Re:captchas are obsolete (1)

AnomaliesAndrew (908394) | more than 6 years ago | (#23277550)

I'm going to start asking my users riddles to validate themselves.

"I am a news-for-nerds website whose domain name was intentionally selected to be confusing to laypeople. What am I?"

Are all audio CAPTCHAs failures? (3, Interesting)

MrCrassic (994046) | more than 6 years ago | (#23275148)

So given that (I assume) all audio CAPTCHAs have the same problem (i.e., the numbers and clearer voices can easily be found using audio analysis), does that mean that all audio-based CAPTCHAs are bound to fail?

Re:Are all audio CAPTCHAs failures? (1)

Zerth (26112) | more than 6 years ago | (#23276212)

Not necessarily, humans are still much more adept at extracting voices from noise(e.g. conversations in crowded conventions) but I imagine people will quickly consider them almost as annoying as the worst of visual CAPTCHAs.

Re:Are all audio CAPTCHAs failures? (1)

MrCrassic (994046) | more than 6 years ago | (#23276386)

I can see a main problem with that: to ensure some degree of entropy, one would have to record enough CAPTCHAs to satisfy all possible combinations of the English alphabet. That's a lot! Even if that is the case, that is actually less secure than an automated audio CAPTCHA because, if anything, hackers can simply download all recorded CAPTCHAs and crack the systems that way.

Essay Test (1)

FurtiveGlancer (1274746) | more than 6 years ago | (#23275152)

I'm sorry it's come to this, but before you may log on, I'll need a 200 word essay on the virtues of Microsoft. Spelling and grammar will count against you, especially if they are perfect. That means either you are a machine or you need to lighten up. Did I mention the five minute time limit?

Scary, isn't it?

Re:Essay Test (1)

WK2 (1072560) | more than 6 years ago | (#23276376)

A CAPTCHA has to be completely automated. Grading an essay test would be hard to automate.

Weird audio captcha (0)

Anonymous Coward | more than 6 years ago | (#23275182)

Am I the only one who felt that the visually impaired were being treated harshly? The audio captcha sample in the video linked from the 0x000000 site was horrible!

In contrast the /. audio captcha at the end of this form is nice to hear.

Solving CAPTCHAs is a waste of time (2, Insightful)

sakdoctor (1087155) | more than 6 years ago | (#23275250)

Apart from OCRing books, I can't think of anything else that is not a total waste of human time. How about meta-moderating as a CAPTCHA activity; probably too fuzzy to work to a reasonable degree of accuracy.

Basically I think the arms race is already over, and a new paradigm is needed.

Re:Solving CAPTCHAs is a waste of time (1)

mgblst (80109) | more than 6 years ago | (#23275770)

Classifying porn pictures. This is very useful, girl-on-girl, top half only, etc...

Realistically, providing one word description for a bunch of pictures could be useful. I know Google set up a "game" for this months ago.

Re:Solving CAPTCHAs is a waste of time (0)

Anonymous Coward | more than 6 years ago | (#23275856)

"Basically I think the arms race is already over, and a new paradigm is needed"

And if we hit that bulls-eye, the rest of the dominos will fall like a house of cards. Checkmate, spammers.

CAPTCHA technology has a long fight ahead (2, Interesting)

Thornburg (264444) | more than 6 years ago | (#23275316)

CAPTCHA technology is going to have a very difficult time over the next few years. Finding tasks (which can be implemented on standard computer systems and transmitted over the internet) that are trivial for humans but exceedingly difficult for computers is going to be rough.

This is especially true because the computer doesn't need a 100% success rate to effectively "break" the CAPTCHA. Heck, if the CAPTCHA gives you 3 tries before rejecting you, then a 30% success rate = fully broken.

For right now, they are still working their way through tasks that CAN be easy for computers, but no one has bothered with yet. This means that breaking the CAPTCHA is simply a matter of writing and tuning some algorithms.

I think the next step (but not the be-all/end-all of CAPTCHAs) will be a parallel approach. Give the person 4 visual or auditory CAPTCHAs, and require them to successfully solve 3 out of 4 to pass, preferably with some kind of relational puzzle regarding the answers, or at least a simple question...

EXAMPLE:

A typical obfuscated-word type CAPTCHA in 4-way parallel, the four words are KITTEN PIGLET PUPPY TOASTER, then you are asked, "Which of these is NOT a baby animal?"

Obviously this technique requires either a complete solution from the user (4/4 words correct), or requires the system to reveal the answers, which could lead to an attack based upon a dictionary-building system, which would require a massive database size (and/or a frequently updated database) to prevent.

There is room for some really innovative work in this field, as the battle will probably continue for quite a while, with ever-increasing computational speed making it more difficult.

In the end, it comes down to this:

There is nothing non-biological that every human can do but no computer can do.

Re:CAPTCHA technology has a long fight ahead (1)

lbgator (1208974) | more than 6 years ago | (#23275578)

I like this idea. How about instead of the words "kitten piglet puppy toaster" you have images? A kitten can be drawn 1000s of ways so that the attacking computer would have to get a lot right to be successful: they have to correctly identify the thing in the picture and THEN answer a question about it. I think my grandma would have an easier time with simple questions about simple images than the current CAPTCHAs.

Re:CAPTCHA technology has a long fight ahead (1)

dw604 (900995) | more than 6 years ago | (#23275720)

What is the third word in this sentence? What is the second letter in the first word of this sentence? The possibilities are limitless. Computers can't "think".

Re:CAPTCHA technology has a long fight ahead (1)

CapnStank (1283176) | more than 6 years ago | (#23276164)

Problem with the 'rational' approach is that it isn't that simple. These problems have to be designed and implemented which takes time and money from the designers. Yes it is simple but not as simple as generating a random string which takes a one time code.

If you only have a set list of rational problems then you're going to run into the problem of dedicated spammers who will simply create a method of cracking it based on previous results.

Re:CAPTCHA technology has a long fight ahead (1)

sidb (530400) | more than 6 years ago | (#23276786)

The problem is that captchas have to be computer-generated on the fly. It's hard to think of things a computer can easily do in one direction, that a similar computer cannot undo, but that a human can easily undo. Relationship puzzles between words won't work because the attacking computer probably has dictionary resources very similar to the defending computer's.

Ethically ugly. (1)

FunkSoulBrother (140893) | more than 6 years ago | (#23275320)

Spam is already a pretty ethically dubious thing, but this should be viewed differently in the eyes of the law (in the event we actually catch somebody behind it in a 1st world country). Sort of how if you assault an able bodied man on the street you'll be punished, but assault a grandma with a walker or a boy in a wheelchair, and you'll likely have the book thrown at you. Abusing handicapped accessibility should really fall into the "boy in a wheelchair" category.

You'd almost hope that the same sort of honor amongst thieves that (sometimes) keeps a common mugger from attacking children might keep spammers from attacking accessibility loopholes, but with anonymity, I think you'll find the former a lot more ethical than the latter, on average.

Re:Ethically ugly. (1)

Grave (8234) | more than 6 years ago | (#23275494)

Your analogy is a bit off base. More accurate might be to hope that spammers wouldn't abuse the accessibility loopholes in the same vein that criminals don't park in handicap spaces while they're inside robbing the store. Oh wait, they probably do.

Re:Ethically ugly. (0)

Anonymous Coward | more than 6 years ago | (#23276352)

Mod parent up. Excellent shoehorning of a car analogy.

Paid humans beat captchas (2, Interesting)

davidwr (791652) | more than 6 years ago | (#23275338)

Paying 3rd-world human beings usually gets past captchas.

A partial solution is to limit the services you offer based on how well you know them. Anonymous? Offer very limited services.
Anonymous but tied to an existing email address? Offer a bit more.
Authenticated by credit card, which could be stolen? Offer a bit more.
Authenticated by PO box? Offer more.
Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't.

Authenticated against an email address that you know has X degree of authentication? Treat them like they have X degree of authentication.

For email, USENET, and IM services, offer a relatively low limit on outgoing data for free services, charge $1/year to a credit card or checking account OR require a copy of a state-issued ID to remove the limit. Watch for multiple free accounts from the same person and give them a collective limit the same as a single free account.

Re:Paid humans beat captchas (1)

Archangel Michael (180766) | more than 6 years ago | (#23275466)

"Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't."

Just another database to be stolen and used to create credit hell for those people listed in the database.

No thank you.

The only solution to asshattery is pain. No, not virtual pain, REAL Ass Kicking Pain.

Isn't this a good sign? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23275368)

Captcha (and Recaptcha) were used as tools since machines were not smart enough to crack distorted characters. The fact that they are able to do so now is great news! Now these techniques can be used in improving existing image recognition tools... provided there's a way to obtain access to the spammers' toolbox.

Am looking forward to the first TRUE bot to post comments here...

Solution (1)

Archangel Michael (180766) | more than 6 years ago | (#23275412)

Spammers need to be shot.

The only reason to have these things is to try to limit spambots. Imagine if instead of spending Millions of dollars developing and maintaining anti spam technology, we used the money to assassinate Spammers, and the producers of the crap they sell, the problem would immediately disappear.

You know, I'm almost serious. Why is it that we tolerate Asshats in this world? This is the result of the namby pamby wimpy peaceniks that think when an asshat gets his lights punched out, that the person doing the punching is evil. No, they are not evil, they are providing a valuable service called "increasing cost" of the asshattery.

You see, being an asshat is an art form, delicately balancing upon the fringes of what is legal, but beyond what is ethical. The only way to combat asshattery is to become one temporarily, if only to deal with the asshats.

Re:Solution (1)

Grave (8234) | more than 6 years ago | (#23275532)

"We're dicks! We're reckless, arrogant, stupid dicks. And the Film Actors Guild are pussies. And Kim Jong Il is an asshole. Pussies don't like dicks, because pussies get fucked by dicks. But dicks also fuck assholes: assholes that just want to shit on everything. Pussies may think they can deal with assholes their way. But the only thing that can fuck an asshole is a dick, with some balls. The problem with dicks is: they fuck too much or fuck when it isn't appropriate - and it takes a pussy to show them that. But sometimes, pussies can be so full of shit that they become assholes themselves... because pussies are an inch and half away from ass holes. I don't know much about this crazy, crazy world, but I do know this: If you don't let us fuck this asshole, we're going to have our dicks and pussies all covered in shit!"

I think that's what you meant to say?

Re:Solution (0)

Anonymous Coward | more than 6 years ago | (#23275836)

Spammers need to be shot.... The only way to combat asshattery is to become one temporarily, if only to deal with the asshats.

I didn't know George W. Bush was on Slashdot!

Re:Solution (1)

rthille (8526) | more than 6 years ago | (#23276012)

Ha, we're getting the spammers to fund AI research...the more we make captchas like Turing tests, the more they'll do AI research in their attempts to break it.

Re:Solution (0)

Anonymous Coward | more than 6 years ago | (#23276888)

Your ideas are intriguing to me, and I wish to subscribe to your newsletter.

Almost free? (0)

Anonymous Coward | more than 6 years ago | (#23275430)

What if these email accounts were "almost free" to sign up for? Would the number of scripted account creations drop if it cost $1 to sign up for one?

Captcha AI (1)

maino82 (851720) | more than 6 years ago | (#23275476)

I'm convinced that the next major breakthrough in artificial intelligence will come from spammers trying to develop more and more sophisticated programs to foil captchas. Eventually they will become so sophisticated that the true test of whether you are human is if you fail miserably at trying to figure out what the hell the captcha is, but the bots will get it instantly. I for one, welcome our new captcha-killing overlords.

hotcaptcha (1)

blhack (921171) | more than 6 years ago | (#23275538)

There was a captcha a while ago that pulled pictures and "hottness" information from hotornot.com, then asked the user to select three of the 9 people that were "hott". link [hotcaptcha.com]

While this approach probably wouldn't be very appropriate for "serious" companies to use (think IBM, Microsoft, US Bank, etc.) as protection from bots, I feel like it is a step in the right direction. There are things that humans are really good at and captcha builders need to start using them. For instance: show somebody 5 pictures of similarly sized and colored dogs, and ask them which one is a Golden Retriever, or show them 5 pictures of cars (like 4 Ford Tauruses and 1 Ferrari) and ask them to identify which one is the most expensive. Or 5 pictures of people and ask which one is the oldest, 4 mopeds and 1 Ducati and which one is the fastest.

I could keep going, but the point is that we have evolved to be good at determining things that computers still have trouble with (like attractiveness).

Re:hotcaptcha (1)

spazdor (902907) | more than 6 years ago | (#23275890)

The problem is that all these options require photographs, which mean each new CAPTCHA requires some human-work to produce. If we're going to prevent spammers from just exhaustively cataloging the right answers, we need an automatable, procedural way to generate new ones.

Re:hotcaptcha (1)

blhack (921171) | more than 6 years ago | (#23276100)

And that is exactly where the problem is. Anything that has been CREATED by a computer can be reverse engineered by a computer. I know that there were some really HUGE databases created a few years ago that were trying to create artificial intelligence (one of them was called CYC, another was called GAC; there is a Wired article about them here [wired.com]). The idea was that people would answer hundreds of thousands of questions like "are purples round?" or similarly silly questions. The hope was that we could program some sort of "sense" into the computer. As far as I know it failed horribly. BUT! Maybe we can resurrect it for captcha use: "Answer these 8 questions" or "which one of these questions is true".

Re:hotcaptcha (1)

RiotingPacifist (1228016) | more than 6 years ago | (#23278460)

The problem is that there are only 5 pictures, one in every 5 guesses will pass. If you expanded it as far as 10 pictures then you're down to 1 in 1024, but that's still less than a 2 letter captcha.

Sure you could block any system that is wrong more than x times, but they have networks of drones and can get round the blocks in other ways (proxies, forged IPs, etc).

The captcha thing is so over (1)

Animats (122034) | more than 6 years ago | (#23275558)

I think the captcha thing is about over. One alternative is identifying new users by texting a password to their cell phone. One account per cell phone number. This limits access to people with computers but not cell phones, but that's not much of an issue at this point. GMail used to do this.

Yes, you can buy vast numbers of SIM cards, but they're not free.

The main problem with this approach is that sending SMS messages is not free. Bulk services charge around US$0.05 to US$0.11 per message. However, for any service where a customer is worth more than a dime, it's a feasible idea.

There is a logical conclusion to be drawn . . . (1)

mmell (832646) | more than 6 years ago | (#23275738)

Eventually, the free service providers (free net mail in particular) will become predominantly the domain of spamsters. When that happens (and it will), admins like me will start blackholing them; then, end-users will be forced to abandon them. Finally, they'll be obliged to start doing something heinous, like requiring a paper form submitted via snail-mail before a new account can be set up.

The dim bulbs in our government will love this, because it'll provide the "accountability" they've been craving to track that much more of what the average citizen is doing online. The lawyers will have a field day when mistakes get made (as they inevitably will). Eventually, some particularly malicious government type will mandate TCM and biometrics on new computer hardware, tied to strong encryption (but only for the specified tracking and other "benign" government uses).

OMG - teh tubes! Ted Stevens was right! We've got to put some check-valves and emergency-cutoffs on teh intarweb, to protect our babies from the evils of Smiling Bob, Cialis and Debbie (who really wants me). Won't someone think of the children?

God, I hope I just need to get a tinfoil hat. I really do.

Audio CAPTCHAs that bite... (1)

spazdor (902907) | more than 6 years ago | (#23275762)

I've wanted to gripe about this for ages, but here it finally seems on-topic:

Slashdot's audio CAPTCHA is a joke.

The computer voice SPELLS the word for you letter-by-letter. A bot wouldn't even have to use heuristics-based speech recognition, just searching for 26 waves (or FFT signatures) would do the trick.

FAILZORS (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23275820)

of business and was or a public club, parts. The current 5tudy. [rice.edu] need your help! of open-source. Of OpenBSD versus things in Has brought upon

you must be a bot (0)

Anonymous Coward | more than 6 years ago | (#23275886)

Saw this yesterday and laughed. http://www.handrooster.com/comics/20070427.gif [handrooster.com]

captchas are a dead end (1)

vux984 (928602) | more than 6 years ago | (#23276026)

The fundamental problem with captchas is that they are using computers to come up with problems for humans. If a computer can come up with the problem, a computer can come up with the solution.

Captchas so far are relying on human strengths at visual perception, edge finding, pattern recognition, etc to retrieve distorted data. But these are simply processing issues. And computers will eventually solve them all.

The proposals for 'better captchas' revolve around the idea of having more complex problems of semantics and meaning. But the issue there is that machines can't generate such problems. And humans don't want to be bothered with it, so the problem set ends up being quite small, and falls easily to a dictionary attack.

I think the solution will ultimately be based in encryption. We need problems that are just plain hard for anybody, all the time. And crypto satisfies that. We'll sign messages with keys.

To preserve anonymity, some sort of reputation system and chain of trust could step up. You get people with good reputations to sign your key, and you in turn sign other people's keys. You'll be reluctant to sign keys that you don't think are really people because the reputation system will reward you if the keys you sign develop good reputations themselves, or punish your key if it's been found to have signed keys for bots etc.

Not all keys need be anonymous, and some could be 'verified by Verisign as a real person' etc. Of course such a key would still be subject to the reputation system, and subject to key revocation if it gets handed over to a bot-script or something... but it would get a bonus to reputation at the start.

A disadvantage is that all your posts anywhere would be linked to each other. So even if not linked to you, they would be linked to each other. They'd have to be for a reputation system to work.

You could get true anonymity - by having a 'good reputation' key, and a distributed 'tor-like' service that will take your 'good reputation' key as input, and return a one-time use key that's signed by the 'tor-like' service. The service would keep track only that it had issued a key for your 'good reputation key', not which key it had issued. So someone could only track the post back to 'tor-like service'.

The reason it would record that it had issued a key for you, would be to limit you to 10 one time keys per day or something. So that you couldn't blow spam through the service... or at least... very little spam.

Probably not perfect, and I'm just thinking off the top of my head... but it seems like an approach that could work.
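A sketch of the rate-limited one-time key service described in the comment above, added here as an illustration and not code from the poster or from any real service. The class names, the key id `alice-key` and the use of an HMAC shared with the posting site in place of a public-key signature are all assumptions; unlinkability here rests only on the issuer not logging the tokens it hands out.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date
from typing import Optional

DAILY_LIMIT = 10  # the comment's "10 one time keys per day or something"


class OneTimeKeyIssuer:
    """Hands single-use tokens to holders of a good-reputation key (hypothetical)."""

    def __init__(self, signing_secret: bytes, trusted_keys: set):
        self._secret = signing_secret
        self._trusted = trusted_keys
        # Stores only how many tokens a key drew per day, never the tokens.
        self._issued = defaultdict(int)

    def issue(self, reputation_key_id: str, today: date) -> Optional[str]:
        if reputation_key_id not in self._trusted:
            return None  # no reputation, no token
        slot = (reputation_key_id, today.isoformat())
        if self._issued[slot] >= DAILY_LIMIT:
            return None  # daily cap reached, so spam volume stays bounded
        self._issued[slot] += 1
        nonce = secrets.token_hex(16)
        tag = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{tag}"


class PostingSite:
    """Accepts a post only with a valid, previously unused token (hypothetical)."""

    def __init__(self, signing_secret: bytes):
        self._secret = signing_secret
        self._spent = set()

    def accept(self, token: str) -> bool:
        nonce, _, tag = token.partition(".")
        expected = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False  # not issued by the service
        if nonce in self._spent:
            return False  # replay of a one-time token
        self._spent.add(nonce)
        return True


def demo() -> dict:
    secret = secrets.token_bytes(32)
    issuer = OneTimeKeyIssuer(secret, {"alice-key"})  # constructed key id
    site = PostingSite(secret)
    day = date(2008, 5, 2)
    tokens = [issuer.issue("alice-key", day) for _ in range(DAILY_LIMIT + 1)]
    return {
        "issued": sum(t is not None for t in tokens),
        "first_accept": site.accept(tokens[0]),
        "replay_accept": site.accept(tokens[0]),
        "forged_accept": site.accept("00" * 16 + "." + "ab" * 32),
        "unknown_key": issuer.issue("bot-key", day),
        "next_day": issuer.issue("alice-key", date(2008, 5, 3)) is not None,
    }
```

A deployment that must not trust the issuer to discard its logs would need a blind-signature scheme instead, which this sketch does not implement.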

Re:captchas are a dead end (1)

jfengel (409917) | more than 6 years ago | (#23276688)

I've been thinking about something like this for a while. I think about it in terms of OpenID, where you get to define the terms of authentication by running your own server.

Service providers like GMail can turn that around and say, "OK, but we're only going to accept authentication from certain providers, who have confirmed to us one way or another that they reliably identify you as a human."

OpenID separates authentication from the services, so you don't have a single database to be compromised. The most desirable ones (the ones that many service providers will accept) will still be serious targets, and they'll have to be VERY careful to use crypto to keep things safe, but at least it won't be a single point of failure.

It would be up to the individual identity providers to verify your humanity, from really good CAPTCHAs to showing up in person. The good part, though, is that it lets the service providers like GMail outsource the effort, so they can get back to doing what they're good at.

Why not a mixed approach? (1)

shift3 (911297) | more than 6 years ago | (#23276054)

Ok.. so Audio CAPTCHAs have been broken. Visual ones have been broken... Why not either Mix the two? or require some actual LOGIC to answer it? Maybe a picture of a cat. then 4 radio buttons asking what this is a picture of. If you are unable to tell what a CAT is in the picture, then you shouldn't be on the internet anyway.

Or maybe a multi-visual CAPTCHA. 2 Captchas. 2 Text boxes. Captcha 1, goes to text box 2, or can even be swapped.

CAPTCHA one says "Enter 12345 in box 2"
CAPTCHA one says "Enter DOG in box 1"

These can be rearranged on the server side. Sometimes 1 goes in 1, 2 goes in 2, etc. Even though the Captcha can be read by the computer, it would then have to be able to figure out what the sentence is saying. These don't have to be as easy as the examples. It could say "Box 1 should contain a dog" change the structure around so it would just take even more programming to figure out what should go where.

Again, this will be broken too. But at least there is a 50% chance that it will get it wrong even if the CAPTCHA was broken.

Just a thought.

Hearing impaired only (1)

magarity (164372) | more than 6 years ago | (#23276126)

All I can say is, I'm glad most spammers aren't hearing impaired or else this might really turn into a problem.

The problem is in a different plane (1)

mapkinase (958129) | more than 6 years ago | (#23276354)

Digital world is the world of non-humans and humans are aliens in it. The robots are naturals and they do all that interaction with this world much easier and more effectively.

Currently the dark underinternet world of spambots, worms, viruses, malware, etc. does not have limits in the arms race, while the world of positive use of internet does have them. There is no digital robotic police that have power to enter our private digital domains and check for suspicious activity. There are no government sponsored botnets attacking spamnets.

One limited attempt of the private company to attack spamnetworks failed miserably. It's like vigilante film noir where the mafia wins.

The digital world is the world of warlords that terrorize citizens. They could be relatively safe in their houses protected by antiviruses, Noscripts and ABP, but if they are going outside - anything goes. They have lists of safe green zones, but the rest is the dark zone.

It must have occurred to many of you by now (1)

museumpeace (735109) | more than 6 years ago | (#23277590)

that this "arms race" of escalating sophistication of captchas and equally sophisticated cracks is actually a form of the Turing test but one conducted with the ethics of a street brawl.

We do occasionally find the question "Are you human?" posed in proximity to the captcha.

Re:It must have occurred to many of you by now (1)

acheron12 (1268924) | more than 6 years ago | (#23277836)

I wonder whether spammers trying to crack captchas are accelerating AI research, or just misusing it?